Splunk Cloud Platform

python code not working after declaring python3

DataOrg
Builder

The external script worked under Python 2.x, but after forcing it to use python3 it returns with error code 1. The Python script:

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
import StringIO

class NullInputSource(InputSource):
    """Input source that serves a fixed placeholder instead of real entity data."""

    def getByteStream(self):
        # The stream content is a constant string; nothing named by the
        # document being parsed is opened or read here.
        placeholder = "entity files not supported."
        return StringIO.StringIO(placeholder)

class NullEntityResolver(EntityResolver):
    """Entity resolver that answers every lookup with a NullInputSource."""

    def resolveEntity(self,publicId,systemId):
        # publicId and systemId come from the parsed document and are
        # deliberately ignored: they are never used to locate a resource.
        stub_source = NullInputSource()
        return stub_source

class XmlHandler(ContentHandler):
    """SAX content handler that rebuilds a document as indented XML text.

    Call reset() before each parse; the rebuilt text is then available
    from getOutput(). Attribute values and character data are re-escaped
    on the way out, so the result is markup-safe text.
    """

    def __init__(self):
        self.indent = 0

    def reset(self , r):
        """Start a fresh document. The argument ``r`` is not used."""
        self.indent = 0
        self.open_tag = ''
        self.current_output = ''

    def getOutput(self):
        """Return the text accumulated since the last reset()."""
        return self.current_output

    def startElement(self, name, attrs):
        """Emit an opening tag on its own line at the current depth."""
        pieces = ['\n', '  ' * self.indent, '<', name]
        for attr_name in attrs.getNames():
            # quoteattr() both escapes and quotes the attribute value.
            quoted = saxutils.quoteattr(attrs.getValue(attr_name))
            pieces.extend((' ', attr_name, '=', quoted))
        pieces.append('>')

        # Remember the tag so endElement() can close a leaf element inline.
        self.open_tag = name
        self.indent += 1
        self.current_output += ''.join(pieces)

    def characters(self, content):
        """Append escaped character data, dropping whitespace-only chunks."""
        if not content.strip():
            return
        self.current_output += saxutils.escape(content)

    def endElement(self, name):
        """Emit a closing tag, inline when it closes the most recently opened tag."""
        self.indent -= 1
        closing = '</' + name + '>'
        if self.open_tag != name:
            closing = '\n' + '  ' * self.indent + closing
        self.current_output += closing

# Main flow of the search command: read the incoming results, pretty-print
# the XML found in each one, and write the results back to Splunk.
try:
    # Only `results` is used below; the other two returned values are unused here.
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            # Use the 'xml' field when the result has one; otherwise fall
            # back to the raw event text.
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'

                # Keep only the span from the first '<' to the last '>'.
                # index()/rindex() raise ValueError when either character is
                # missing, which lands in the per-result handler below.
                xml_text = raw[ raw.index( '<' ) : raw.rindex( '>' )+1 ]

            handler.reset(xml_text)
            # NOTE(review): the text parsed here comes from indexed events,
            # i.e. untrusted input. The only entity-related setting applied is
            # the NullEntityResolver; no parser feature is set explicitly, so
            # external-entity handling otherwise follows the interpreter's
            # defaults -- confirm for the Python version in use.
            parser = xml.sax.make_parser()
            parser.setContentHandler(handler)
            parser.setEntityResolver(NullEntityResolver())
            # `StringIO.StringIO` is the Python 2 module; the top-of-file
            # `import StringIO` is what fails once the script runs on python3.
            parser.parse(StringIO.StringIO(xml_text))

            r[dest_field] = handler.getOutput()

            # NOTE(review): the values read in this if/else are not used
            # again within the loop body.
            if 'xml' in r:
                xml_text = r['xml']
            else:
                raw = r["_raw"]

        # Bare except: any failure for this result is recorded in the result
        # itself and processing moves on to the next one.
        except:
            import traceback
            stack =  traceback.format_exc()
            # The full traceback (including script paths) is written into the
            # event text, where anyone who can see the results can read it.
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + r['_raw']

# Bare except: any failure outside the per-result handler replaces the whole
# result set with a single error result carrying the traceback.
except:
    import traceback
    stack =  traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )

 

@kamlesh_vaghela

 

[xmlformat]
filename = xmlformat.py
retainsevents = true
overrides_timeorder = false
run_in_preview = false
streaming = true
python.version = python3

 

 


kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg 

Your script is not compatible with Python 3. You can confirm this by running the command below; it executes the script and shows the actual error.

/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/MyApp/bin/myscript.py

 

I did the same for you. Can you please try below script?

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
try:
    from StringIO import StringIO ## for Python 2
except ImportError:
    from io import StringIO ## for Python 3

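class NullInputSource(InputSource):
    """Input source that serves a fixed placeholder instead of real entity data.

    Nothing named by the parsed document is opened or read: the stream
    content is a constant.
    """

    def getByteStream(self):
        """Return a binary stream holding the fixed placeholder text."""
        # getByteStream() is the binary accessor of InputSource. On Python 3
        # io.StringIO is a text stream, so a BytesIO is returned instead; it
        # is a byte stream on both Python 2 and Python 3.
        from io import BytesIO
        return BytesIO(b"entity files not supported.")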

class NullEntityResolver(EntityResolver):
    """Entity resolver that answers every lookup with a NullInputSource."""

    def resolveEntity(self,publicId,systemId):
        # publicId and systemId come from the parsed document and are
        # deliberately ignored: they are never used to locate a resource.
        stub_source = NullInputSource()
        return stub_source

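class XmlHandler(ContentHandler):
    """SAX content handler that rebuilds a document as indented XML text.

    Call reset() before each parse; the rebuilt text is then available
    from getOutput(). Attribute values and character data are re-escaped
    on the way out, so the result is markup-safe text.
    """

    def __init__(self):
        # Explicit base call (not super()) so this also works where
        # ContentHandler is an old-style class.
        ContentHandler.__init__(self)
        # Initialise every attribute here so getOutput() is usable even
        # before the first reset().
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def reset(self , r):
        """Clear all accumulated state before the next document.

        ``r`` is accepted for compatibility with existing callers and is
        not used.
        """
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        """Return the text accumulated since the last reset()."""
        return self.current_output

    def startElement(self, name, attrs):
        """Emit an opening tag on its own line at the current depth."""
        pieces = ['\n', '  ' * self.indent, '<', name]
        for attr_name in attrs.getNames():
            # quoteattr() both escapes and quotes the attribute value.
            quoted = saxutils.quoteattr(attrs.getValue(attr_name))
            pieces.extend((' ', attr_name, '=', quoted))
        pieces.append('>')

        # Remember the tag so endElement() can close a leaf element inline.
        self.open_tag = name
        self.indent += 1
        self.current_output += ''.join(pieces)

    def characters(self, content):
        """Append escaped character data, dropping whitespace-only chunks."""
        if content.strip():
            self.current_output += saxutils.escape(content)

    def endElement(self, name):
        """Emit a closing tag, inline only when it closes a leaf element."""
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'
        # Forget the tag once something has been closed. Otherwise a parent
        # with the same name as its child (<a><a/></a>) would be mistaken
        # for a leaf and closed on the child's line.
        self.open_tag = ''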

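# Main flow of the search command: read the incoming results, pretty-print
# the XML found in each one, and write the results back to Splunk.
try:
    # Only `results` is used below.
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            # Use the 'xml' field when the result has one; otherwise fall
            # back to the raw event text.
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'
                # Keep only the span from the first '<' to the last '>'.
                # index()/rindex() raise ValueError when either character is
                # missing, which is handled per result below.
                xml_text = raw[raw.index('<'):raw.rindex('>') + 1]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            # Event text is untrusted input. Turn external general and
            # parameter entities off explicitly instead of relying on the
            # interpreter's default; a parser that rejects these features
            # raises and the result is marked as failed (fail closed).
            # Internal entity expansion is not affected by these switches.
            parser.setFeature(xml.sax.handler.feature_external_ges, False)
            parser.setFeature(xml.sax.handler.feature_external_pes, False)
            parser.setContentHandler(handler)
            # Second layer: any entity lookup that still happens is answered
            # with a fixed placeholder.
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO(xml_text))

            r[dest_field] = handler.getOutput()

        # Exception, not a bare except, so SystemExit and KeyboardInterrupt
        # are not swallowed.
        except Exception:
            import traceback
            stack = traceback.format_exc()
            # The traceback (including script paths) becomes part of the
            # event text, visible to anyone who can see the results. A result
            # without '_raw' must not raise here, or one bad result would
            # replace the whole result set with an error.
            original_raw = r['_raw'] if '_raw' in r else ''
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + original_raw

# Any failure outside the per-result handler replaces the whole result set
# with a single error result carrying the traceback.
except Exception:
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )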

 

Happy Splunking

KV


kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg 

Your script is not compatible with Python 3. You can confirm this by running the command below; it executes the script and shows the actual error.

/opt/splunk/bin/splunk cmd python3 /opt/splunk/etc/apps/MyApp/bin/myscript.py

 

I did the same for you. Can you please try below script?

 

import sys,splunk.Intersplunk
import xml.sax
import xml.sax.saxutils as saxutils
from xml.sax.handler import ContentHandler
from xml.sax.handler import EntityResolver
from xml.sax.xmlreader import InputSource
try:
    from StringIO import StringIO ## for Python 2
except ImportError:
    from io import StringIO ## for Python 3

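class NullInputSource(InputSource):
    """Input source that serves a fixed placeholder instead of real entity data.

    Nothing named by the parsed document is opened or read: the stream
    content is a constant.
    """

    def getByteStream(self):
        """Return a binary stream holding the fixed placeholder text."""
        # getByteStream() is the binary accessor of InputSource. On Python 3
        # io.StringIO is a text stream, so a BytesIO is returned instead; it
        # is a byte stream on both Python 2 and Python 3.
        from io import BytesIO
        return BytesIO(b"entity files not supported.")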

class NullEntityResolver(EntityResolver):
    """Entity resolver that answers every lookup with a NullInputSource."""

    def resolveEntity(self,publicId,systemId):
        # publicId and systemId come from the parsed document and are
        # deliberately ignored: they are never used to locate a resource.
        stub_source = NullInputSource()
        return stub_source

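class XmlHandler(ContentHandler):
    """SAX content handler that rebuilds a document as indented XML text.

    Call reset() before each parse; the rebuilt text is then available
    from getOutput(). Attribute values and character data are re-escaped
    on the way out, so the result is markup-safe text.
    """

    def __init__(self):
        # Explicit base call (not super()) so this also works where
        # ContentHandler is an old-style class.
        ContentHandler.__init__(self)
        # Initialise every attribute here so getOutput() is usable even
        # before the first reset().
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def reset(self , r):
        """Clear all accumulated state before the next document.

        ``r`` is accepted for compatibility with existing callers and is
        not used.
        """
        self.current_output = ''
        self.indent = 0
        self.open_tag = ''

    def getOutput(self):
        """Return the text accumulated since the last reset()."""
        return self.current_output

    def startElement(self, name, attrs):
        """Emit an opening tag on its own line at the current depth."""
        pieces = ['\n', '  ' * self.indent, '<', name]
        for attr_name in attrs.getNames():
            # quoteattr() both escapes and quotes the attribute value.
            quoted = saxutils.quoteattr(attrs.getValue(attr_name))
            pieces.extend((' ', attr_name, '=', quoted))
        pieces.append('>')

        # Remember the tag so endElement() can close a leaf element inline.
        self.open_tag = name
        self.indent += 1
        self.current_output += ''.join(pieces)

    def characters(self, content):
        """Append escaped character data, dropping whitespace-only chunks."""
        if content.strip():
            self.current_output += saxutils.escape(content)

    def endElement(self, name):
        """Emit a closing tag, inline only when it closes a leaf element."""
        self.indent -= 1
        if self.open_tag != name:
            self.current_output += '\n' + '  ' * self.indent
        self.current_output += '</' + name + '>'
        # Forget the tag once something has been closed. Otherwise a parent
        # with the same name as its child (<a><a/></a>) would be mistaken
        # for a leaf and closed on the child's line.
        self.open_tag = ''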

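# Main flow of the search command: read the incoming results, pretty-print
# the XML found in each one, and write the results back to Splunk.
try:
    # Only `results` is used below.
    results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()

    handler = XmlHandler()

    for r in results:
        try:
            # Use the 'xml' field when the result has one; otherwise fall
            # back to the raw event text.
            if 'xml' in r:
                xml_text = r['xml']
                dest_field = 'xml'
            else:
                raw = r["_raw"]
                dest_field = '_raw'
                # Keep only the span from the first '<' to the last '>'.
                # index()/rindex() raise ValueError when either character is
                # missing, which is handled per result below.
                xml_text = raw[raw.index('<'):raw.rindex('>') + 1]

            handler.reset(xml_text)
            parser = xml.sax.make_parser()
            # Event text is untrusted input. Turn external general and
            # parameter entities off explicitly instead of relying on the
            # interpreter's default; a parser that rejects these features
            # raises and the result is marked as failed (fail closed).
            # Internal entity expansion is not affected by these switches.
            parser.setFeature(xml.sax.handler.feature_external_ges, False)
            parser.setFeature(xml.sax.handler.feature_external_pes, False)
            parser.setContentHandler(handler)
            # Second layer: any entity lookup that still happens is answered
            # with a fixed placeholder.
            parser.setEntityResolver(NullEntityResolver())
            parser.parse(StringIO(xml_text))

            r[dest_field] = handler.getOutput()

        # Exception, not a bare except, so SystemExit and KeyboardInterrupt
        # are not swallowed.
        except Exception:
            import traceback
            stack = traceback.format_exc()
            # The traceback (including script paths) becomes part of the
            # event text, visible to anyone who can see the results. A result
            # without '_raw' must not raise here, or one bad result would
            # replace the whole result set with an error.
            original_raw = r['_raw'] if '_raw' in r else ''
            r['_raw'] = "Failed to parse: " + str(stack) + "\n" + original_raw

# Any failure outside the per-result handler replaces the whole result set
# with a single error result carrying the traceback.
except Exception:
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults( results )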

 

Happy Splunking

KV

DataOrg
Builder

@kamlesh_vaghela thanks for the help and teaching for debugging the code . awesome


kamlesh_vaghela
SplunkTrust
SplunkTrust

@DataOrg  let me check it. BTW Which Splunk version you are using? Splunk 8.0.5 or higher?


DataOrg
Builder

@kamlesh_vaghela  splunk cloud version is 

Version:8.0.2007.1
